access control lists

RHEL6 – Using ACLs to Grant and Restrict FIle Access.

/ Christopher Paquin / Leave a comment

RangerRick

Access Control Lists or ACLs provide more controll over file permissions than standard linux file permissions (UGO — user, group, other). For example lets say that you want all members of the group "students" to have the ability to read a file, however you want to allow one user in that group the ability to write to the file, well ACLs can help you do this.

First thing that you need to know is that you cannot just start using ACLs right away, first you have to make sure that your filesystem is mounted so that ACLs are availible. This means adding ACL to the mount options in /etc/fstab.

UUID=3fa4603e-9874-4f47-ae1c-3f7715a54238 /                       ext4    defaults,user_xattr

So in my fstab, I change the line above to the line below. I know, exciting right?

UUID=3fa4603e-9874-4f47-ae1c-3f7715a54238 /                       ext4    defaults,user_xattr.acl

Now to view the permissions and ACLs on a file use the getfacl command, below i am checking the file RangerRick.jpg in /root/Pictures.  In the example below there are no ACLs assigned, btw.

[root@fedora15 Pictures]# getfacl RangerRick.jpg
# file: RangerRick.jpg
# owner: root
# group: root
user::rw-
group::r–
other::r–

So lets allow the user "chris" to write to the file, just just read it.

[root@fedora15 Pictures] setfacl -m u:chris:w RangerRick.jpg

Now run getfacl again and check out the difference

[root@fedora15 Pictures]# getfacl RangerRick.jpg
# file: RangerRick.jpg
# owner: root
# group: root
user::rw-
user:chris:-w-
group::r–
mask::rw-
other::r–

Additonal Examples:

Lets give all users in the group "students" the ability to write to the file, since they may want to modify it and add a photochop their faces over the dear old racoon's face.

[root@fedora15 Pictures] setfactl -m g:students:w RangerRick.jpg

But oh no, user "bert" in the group "students", has decided to modify the file RangerRick.jpg in an in appropriate way, so lets remove his permissions altogether.

[root@fedora15 Pictures] setfacl -x u:bert

Lets say that we want to allow the user "chris" to be able to modify all existing and newly created files in the Pictures directory where the Ranger Rick picture lives.

[root@fedora15 Pictures] setfacl -m d:u:chris:rw /root/Pictures

Note that when a file has ACLs assigned to it, a plus "+" sign will appear in the output of an 'ls-l'

-rw-rw-r–+ 1 root root 148011 Oct 12 15:06 RangerRick.jpg

Honestly you will probably never need to use ACLs, but they are handy to have availible if you run into some sort of situation where you need to grant very particular permissions to files and directories.